[Security Rules] Update security rules package to v8.7.2-beta.1

packages/security_detection_engine/changelog.yml

@@ -1,5 +1,10 @@
 # newer versions go on top
 # NOTE: please use pre-release versions (e.g. -beta.0) until a package is ready for production
+- version: 8.7.2-beta.1
+ changes:
+ - description: Release security rules update
+ type: enhancement
+ link: https://github.com/elastic/integrations/pull/5857
 - version: 8.6.2
  changes:
  - description: Release security rules update

packages/security_detection_engine/kibana/security_rule/a198fbbd-9413-45ec-a269-47ae4ccf59ce.json

@@ -0,0 +1,64 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "This rule helps you test and practice using alerts with Elastic Security as you get set up. It\u2019s not a sign of threat activity.",
+ "enabled": false,
+ "false_positives": [
+ "This rule is not looking for threat activity. Disable the rule if you're already familiar with alerts."
+ ],
+ "from": "now-24h",
+ "index": [
+ "apm-*-transaction*",
+ "auditbeat-*",
+ "endgame-*",
+ "filebeat-*",
+ "logs-*",
+ "packetbeat-*",
+ "traces-apm*",
+ "winlogbeat-*",
+ "-*elastic-cloud-logs-*"
+ ],
+ "interval": "24h",
+ "language": "kuery",
+ "license": "Elastic License v2",
+ "max_signals": 1,
+ "name": "My First Rule",
+ "note": "This is a test alert.\n\nThis alert does not show threat activity. Elastic created this alert to help you understand how alerts work.\n\nFor normal rules, the Investigation Guide will help analysts investigate alerts.\n\nThis alert will show once every 24 hours for each host. It is safe to disable this rule.\n",
+ "query": "event.kind:\"event\"\n",
+ "references": [
+ "https://www.elastic.co/guide/en/security/current/prebuilt-rules.html"
+ ],
+ "required_fields": [
+ {
+ "ecs": true,
+ "name": "event.kind",
+ "type": "keyword"
+ }
+ ],
+ "risk_score": 21,
+ "rule_id": "a198fbbd-9413-45ec-a269-47ae4ccf59ce",
+ "severity": "low",
+ "tags": [
+ "Elastic",
+ "Example",
+ "Guided Onboarding",
+ "Network",
+ "APM",
+ "Windows",
+ "Elastic Endgame"
+ ],
+ "threshold": {
+ "field": [
+ "host.name"
+ ],
+ "value": 1
+ },
+ "timestamp_override": "event.ingested",
+ "type": "threshold",
+ "version": 1
+ },
+ "id": "a198fbbd-9413-45ec-a269-47ae4ccf59ce",
+ "type": "security-rule"
+}

packages/security_detection_engine/kibana/security_rule/ff4599cb-409f-4910-a239-52e4e6f532ff.json

@@ -0,0 +1,81 @@
+{
+ "attributes": {
+ "author": [
+ "Elastic"
+ ],
+ "description": "Identifies access attempts to the LSASS handle, which may indicate an attempt to dump credentials from LSASS memory.",
+ "from": "now-9m",
+ "index": [
+ "logs-endpoint.events.*"
+ ],
+ "language": "eql",
+ "license": "Elastic License v2",
+ "name": "LSASS Process Access via Windows API",
+ "query": "api where host.os.type == \"windows\" and \n process.Ext.api.name in (\"OpenProcess\", \"OpenThread\") and Target.process.name : \"lsass.exe\"\n",
+ "references": [
+ "https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1003.001/T1003.001.md"
+ ],
+ "related_integrations": [
+ {
+ "package": "endpoint",
+ "version": "^8.2.0"
+ }
+ ],
+ "required_fields": [
+ {
+ "ecs": false,
+ "name": "Target.process.name",
+ "type": "unknown"
+ },
+ {
+ "ecs": true,
+ "name": "host.os.type",
+ "type": "keyword"
+ },
+ {
+ "ecs": false,
+ "name": "process.Ext.api.name",
+ "type": "unknown"
+ }
+ ],
+ "risk_score": 47,
+ "rule_id": "ff4599cb-409f-4910-a239-52e4e6f532ff",
+ "severity": "medium",
+ "tags": [
+ "Elastic",
+ "Host",
+ "Windows",
+ "Threat Detection",
+ "Credential Access"
+ ],
+ "threat": [
+ {
+ "framework": "MITRE ATT\u0026CK",
+ "tactic": {
+ "id": "TA0006",
+ "name": "Credential Access",
+ "reference": "https://attack.mitre.org/tactics/TA0006/"
+ },
+ "technique": [
+ {
+ "id": "T1003",
+ "name": "OS Credential Dumping",
+ "reference": "https://attack.mitre.org/techniques/T1003/",
+ "subtechnique": [
+ {
+ "id": "T1003.001",
+ "name": "LSASS Memory",
+ "reference": "https://attack.mitre.org/techniques/T1003/001/"
+ }
+ ]
+ }
+ ]
+ }
+ ],
+ "timestamp_override": "event.ingested",
+ "type": "eql",
+ "version": 1
+ },
+ "id": "ff4599cb-409f-4910-a239-52e4e6f532ff",
+ "type": "security-rule"
+}

packages/security_detection_engine/manifest.yml

@@ -1,7 +1,7 @@
 categories:
  - security
 conditions:
- kibana.version: ^8.6.0
+ kibana.version: ^8.7.0
 description: Prebuilt detection rules for Elastic Security
 format_version: 1.0.0
 icons:
@@ -12,7 +12,7 @@ license: basic
 name: security_detection_engine
 owner:
  github: elastic/protections
-release: ga
+release: beta
 title: Prebuilt Security Detection Rules
 type: integration
-version: 8.6.2
+version: 8.7.2-beta.1